
several security fixes in admin pages

changed [img] bbcode to only allow URLs ending in jpg, jpeg, gif and png


git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@4876 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen
2004-03-25 15:57:20 +00:00
parent 79c15bd7c1
commit 234b1f13de
21 changed files with 1038 additions and 48 deletions


@@ -281,7 +281,7 @@ function bbencode_first_pass($text, $uid)
$text = preg_replace("#\[i\](.*?)\[/i\]#si", "[i:$uid]\\1[/i:$uid]", $text);
// [img]image_url_here[/img] code..
$text = preg_replace("#\[img\]((ht|f)tp://)([^ \?&=\"\n\r\t<])[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);
$text = preg_replace("#\[img\]((ht|f)tp://)([^ \?&=\"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]#sie", "'[img:$uid]\\1' . str_replace(' ', '%20', '\\3') . '[/img:$uid]'", $text);
// Remove our padding from the string..
return substr($text, 1);;
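Review bot: The `e` modifier kept on the new `[img]` pattern is the riskiest part of the line and gains nothing: the negated class `[^ \?&=\"\n\r\t<]` already excludes the space character, so `str_replace(' ', '%20', '\\3')` can never alter the match, and the only effect of `e` is to evaluate a string built from post text as PHP. It can be dropped outright with a plain backreference replacement: `$text = preg_replace("#\[img\]((ht|f)tp://)([^ \?&=\"\n\r\t<]*?(\.(jpg|jpeg|gif|png)))\[/img\]#si", "[img:$uid]\\1\\3[/img:$uid]", $text);`. Note also that the extension whitelist only constrains how the URL is spelled, not what the remote host returns for it, so it narrows rather than removes the surface for GET-triggered requests from rendered posts. bbencode_first_pass begins before this hunk and its closing brace is outside it.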


@@ -198,6 +198,7 @@ function add_search_words($mode, $post_id, $post_text, $post_title = '')
$value_sql .= ( ( $value_sql != '' ) ? ', ' : '' ) . '(\'' . $word[$i] . '\', 0)';
break;
case 'mssql':
case 'mssql-odbc':
$value_sql .= ( ( $value_sql != '' ) ? ' UNION ALL ' : '' ) . "SELECT '" . $word[$i] . "', 0";
break;
default:
@@ -222,6 +223,7 @@ function add_search_words($mode, $post_id, $post_text, $post_title = '')
VALUES $value_sql";
break;
case 'mssql':
case 'mssql-odbc':
$sql = "INSERT INTO " . SEARCH_WORD_TABLE . " (word_text, word_common)
$value_sql";
break;
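Review bot: The new `mssql-odbc` case sends the ODBC driver down the same string-built `"SELECT '" . $word[$i] . "', 0"` and `VALUES` concatenations shown in the first hunk, where each word is spliced into the statement with no escaping visible in this hunk. Whether `$word` was already escaped is decided before the hunk, so that needs confirming; if it was not, the MSSQL dialect needs single quotes doubled before concatenation, e.g. `"SELECT '" . str_replace("'", "''", $word[$i]) . "', 0"`. An escaping step that only exists on the MySQL branch would leave both MSSQL branches exposed to crafted post text. add_search_words starts before the first hunk and continues after the second.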


@@ -177,7 +177,7 @@ if (
$board_config['default_dateformat'] = $row['config_value'];
$user_dateformat = ( !empty($HTTP_POST_VARS['dateformat']) ) ? trim(htmlspecialchars($HTTP_POST_VARS['dateformat'])) : $board_config['default_dateformat'];
$user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? $HTTP_POST_VARS['avatarselect'] : ( ( isset($HTTP_POST_VARS['avatarlocal']) ) ? htmlspecialchars($HTTP_POST_VARS['avatarlocal']) : '' );
$user_avatar_local = ( isset($HTTP_POST_VARS['avatarselect']) && !empty($HTTP_POST_VARS['submitavatar']) && $board_config['allow_avatar_local'] ) ? htmlspecialchars($HTTP_POST_VARS['avatarselect']) : ( ( isset($HTTP_POST_VARS['avatarlocal']) ) ? htmlspecialchars($HTTP_POST_VARS['avatarlocal']) : '' );
$user_avatar_remoteurl = ( !empty($HTTP_POST_VARS['avatarremoteurl']) ) ? trim(htmlspecialchars($HTTP_POST_VARS['avatarremoteurl'])) : '';
$user_avatar_upload = ( !empty($HTTP_POST_VARS['avatarurl']) ) ? trim($HTTP_POST_VARS['avatarurl']) : ( ( $HTTP_POST_FILES['avatar']['tmp_name'] != "none") ? $HTTP_POST_FILES['avatar']['tmp_name'] : '' );
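Review bot: `htmlspecialchars()` on `avatarselect` in the new line is an HTML-output escape, not a check on the selected file name, so if this value is later joined into the gallery path (not visible here) a `..` segment or an arbitrary sub-path would pass through it unchanged. The check that belongs alongside it is that the value names an entry actually produced by the gallery listing, with `htmlspecialchars` kept for the echoed copy only; a one-line comment on the new line, `// HTML escape only - the consumer must still validate this against the gallery listing`, would stop the next reader from treating it as validation. The enclosing `if (` block begins before this hunk and continues past it.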